

<!DOCTYPE html>
<html lang="zh-CN" data-default-color-scheme=auto>



<head>
  <meta charset="UTF-8">
  <link rel="apple-touch-icon" sizes="76x76" href="/img/fluid.png">
  <link rel="icon" href="/img/fluid.png">
  <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0, shrink-to-fit=no">
  <meta http-equiv="x-ua-compatible" content="ie=edge">
  
  <meta name="theme-color" content="#2f4154">
  <meta name="author" content="Jiashi">
  <meta name="keywords" content="">
  
    <meta name="description" content="环境变量攻击环境变量定义 一组动态的定义值； 操作系统运行环境的一部分； 影响正在运行进程的行为方式（加载哪些外部DLL）； 在Unix中提出，也被微软操作系统采用">
<meta property="og:type" content="article">
<meta property="og:title" content="Environment-variable-attack">
<meta property="og:url" content="https://jiashi19.gitee.io/2024/02/01/Environment-variable-attack/index.html">
<meta property="og:site_name" content="Blog from js19">
<meta property="og:description" content="环境变量攻击环境变量定义 一组动态的定义值； 操作系统运行环境的一部分； 影响正在运行进程的行为方式（加载哪些外部DLL）； 在Unix中提出，也被微软操作系统采用">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://s2.loli.net/2024/02/12/ZSOTq4bIvodnzNG.png">
<meta property="og:image" content="https://jiashi19.gitee.io/img/5rLOqIHSgAGn3TQ.png">
<meta property="article:published_time" content="2024-02-01T01:09:18.000Z">
<meta property="article:modified_time" content="2024-02-11T19:36:57.401Z">
<meta property="article:author" content="Jiashi">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:image" content="https://s2.loli.net/2024/02/12/ZSOTq4bIvodnzNG.png">
  
  
    <meta name="referrer" content="no-referrer-when-downgrade">
  
  
  <title>Environment-variable-attack - Blog from js19</title>

  <link  rel="stylesheet" href="https://lib.baomitu.com/twitter-bootstrap/4.6.1/css/bootstrap.min.css" />



  <link  rel="stylesheet" href="https://lib.baomitu.com/github-markdown-css/4.0.0/github-markdown.min.css" />

  <link  rel="stylesheet" href="https://lib.baomitu.com/hint.css/2.7.0/hint.min.css" />

  <link  rel="stylesheet" href="https://lib.baomitu.com/fancybox/3.5.7/jquery.fancybox.min.css" />



<!-- 主题依赖的图标库，不要自行修改 -->
<!-- Do not modify the link that theme dependent icons -->

<link rel="stylesheet" href="//at.alicdn.com/t/font_1749284_hj8rtnfg7um.css">



<link rel="stylesheet" href="//at.alicdn.com/t/font_1736178_lbnruvf0jn.css">


<link  rel="stylesheet" href="/css/main.css" />


  <link id="highlight-css" rel="stylesheet" href="/css/highlight.css" />
  
    <link id="highlight-css-dark" rel="stylesheet" href="/css/highlight-dark.css" />
  




  <script id="fluid-configs">
    var Fluid = window.Fluid || {};
    Fluid.ctx = Object.assign({}, Fluid.ctx)
    var CONFIG = {"hostname":"jiashi19.gitee.io","root":"/","version":"1.9.5-a","typing":{"enable":true,"typeSpeed":70,"cursorChar":"_","loop":false,"scope":[]},"anchorjs":{"enable":true,"element":"h1,h2,h3,h4,h5,h6","placement":"left","visible":"hover","icon":""},"progressbar":{"enable":true,"height_px":3,"color":"#29d","options":{"showSpinner":false,"trickleSpeed":100}},"code_language":{"enable":true,"default":"TEXT"},"copy_btn":true,"image_caption":{"enable":true},"image_zoom":{"enable":true,"img_url_replace":["",""]},"toc":{"enable":true,"placement":"right","headingSelector":"h1,h2,h3,h4,h5,h6","collapseDepth":0},"lazyload":{"enable":true,"loading_img":"/img/loading.gif","onlypost":false,"offset_factor":2},"web_analytics":{"enable":false,"follow_dnt":true,"baidu":null,"google":{"measurement_id":null},"tencent":{"sid":null,"cid":null},"woyaola":null,"cnzz":null,"leancloud":{"app_id":null,"app_key":null,"server_url":null,"path":"window.location.pathname","ignore_local":false}},"search_path":"/local-search.xml","include_content_in_search":true};

    if (CONFIG.web_analytics.follow_dnt) {
      var dntVal = navigator.doNotTrack || window.doNotTrack || navigator.msDoNotTrack;
      Fluid.ctx.dnt = dntVal && (dntVal.startsWith('1') || dntVal.startsWith('yes') || dntVal.startsWith('on'));
    }
  </script>
  <script  src="/js/utils.js" ></script>
  <script  src="/js/color-schema.js" ></script>
  


  
<meta name="generator" content="Hexo 6.3.0"></head>


<body>
  

  <header>
    

<div class="header-inner" style="height: 70vh;">
  <nav id="navbar" class="navbar fixed-top  navbar-expand-lg navbar-dark scrolling-navbar">
  <div class="container">
    <a class="navbar-brand" href="/">
      <strong>jiashi&#39;s blog</strong>
    </a>

    <button id="navbar-toggler-btn" class="navbar-toggler" type="button" data-toggle="collapse"
            data-target="#navbarSupportedContent"
            aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
      <div class="animated-icon"><span></span><span></span><span></span></div>
    </button>

    <!-- Collapsible content -->
    <div class="collapse navbar-collapse" id="navbarSupportedContent">
      <ul class="navbar-nav ml-auto text-center">
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/">
                <i class="iconfont icon-home-fill"></i>
                <span>首页</span>
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/archives/">
                <i class="iconfont icon-archive-fill"></i>
                <span>归档</span>
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/categories/">
                <i class="iconfont icon-category-fill"></i>
                <span>分类</span>
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/tags/">
                <i class="iconfont icon-tags-fill"></i>
                <span>标签</span>
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/about/">
                <i class="iconfont icon-user-fill"></i>
                <span>关于</span>
              </a>
            </li>
          
        
        
          <li class="nav-item" id="search-btn">
            <a class="nav-link" target="_self" href="javascript:;" data-toggle="modal" data-target="#modalSearch" aria-label="Search">
              <i class="iconfont icon-search"></i>
            </a>
          </li>
          
        
        
          <li class="nav-item" id="color-toggle-btn">
            <a class="nav-link" target="_self" href="javascript:;" aria-label="Color Toggle">
              <i class="iconfont icon-dark" id="color-toggle-icon"></i>
            </a>
          </li>
        
      </ul>
    </div>
  </div>
</nav>

  

<div id="banner" class="banner" parallax=true
     style="background: url('/img/default.png') no-repeat center center; background-size: cover;">
  <div class="full-bg-img">
    <div class="mask flex-center" style="background-color: rgba(0, 0, 0, 0.3)">
      <div class="banner-text text-center fade-in-up">
        <div class="h2">
          
            <span id="subtitle" data-typed-text="Environment-variable-attack"></span>
          
        </div>

        
          
  <div class="mt-3">
    
    
      <span class="post-meta">
        <i class="iconfont icon-date-fill" aria-hidden="true"></i>
        <time datetime="2024-02-01 09:09" pubdate>
          2024年2月1日 上午
        </time>
      </span>
    
  </div>

  <div class="mt-1">
    
      <span class="post-meta mr-2">
        <i class="iconfont icon-chart"></i>
        
          1.7k 字
        
      </span>
    

    
      <span class="post-meta mr-2">
        <i class="iconfont icon-clock-fill"></i>
        
        
        
          14 分钟
        
      </span>
    

    
    
  </div>


        
      </div>

      
    </div>
  </div>
</div>

</div>

  </header>

  <main>
    
      

<div class="container-fluid nopadding-x">
  <div class="row nomargin-x">
    <div class="side-col d-none d-lg-block col-lg-2">
      

    </div>

    <div class="col-lg-8 nopadding-x-md">
      <div class="container nopadding-x-md" id="board-ctn">
        <div id="board">
          <article class="post-content mx-auto">
            <h1 id="seo-header">Environment-variable-attack</h1>
            
            
              <div class="markdown-body">
                
                <h1 id="环境变量攻击"><a href="#环境变量攻击" class="headerlink" title="环境变量攻击"></a>环境变量攻击</h1><h2 id="环境变量定义"><a href="#环境变量定义" class="headerlink" title="环境变量定义"></a>环境变量定义</h2><ul>
<li>一组动态的定义值；</li>
<li>操作系统运行环境的一部分；</li>
<li>影响正在运行进程的行为方式（加载哪些外部DLL）；</li>
<li>在Unix中提出，也被微软操作系统采用</li>
</ul>
<span id="more"></span>

<p> 示例：PATH变量<br> 当执行一个程序时，如果没有提供完整的路径，shell进程将使用环境变量来找到程序的位置。</p>
<h2 id="进程与环境变量"><a href="#进程与环境变量" class="headerlink" title="进程与环境变量"></a>进程与环境变量</h2><p>进程可以通过以下两种方式来获取环境变量：<br>如果使用<strong>fork()<strong>创建了一个新进程，则子进程将继承其父进程的环境变量。<br>如果进程使用</strong>execve()<strong>启动一个新程序，在此场景中内存空间被覆盖，</strong>所有旧环境变量将丢失</strong>。但是可以通过传参的方式传递旧的环境变量。</p>
<img src="https://s2.loli.net/2024/02/12/ZSOTq4bIvodnzNG.png" srcset="/img/loading.gif" lazyload alt="image-20240102154328886" style="zoom: 50%;" />

<h2 id="shell命令变量与环境变量"><a href="#shell命令变量与环境变量" class="headerlink" title="shell命令变量与环境变量"></a>shell命令变量与环境变量</h2><p><strong>相关命令</strong>：</p>
<ul>
<li>env命令：显示当前用户的环境变量</li>
<li>set命令：不加参数可以显示当前shell的所有本地设置的<strong>Shell变量</strong>，否则设置shell变量</li>
<li>unset命令：unset为shell内建指令，删除变量或函数。</li>
<li>export命令：显示(设置)当前导出成环境变量的shell变量(注意：export为bash或类bash私有的命令)</li>
<li>echo $变量名：查看变量值(其中，$变量：引用变量的意思)</li>
</ul>
<p>当shell程序启动时，它会将环境变量复制到自己的shell变量中。对shell变量所做的更改将不会反映出在环境变量上。</p>
<p><img src="/../img/5rLOqIHSgAGn3TQ.png" srcset="/img/loading.gif" lazyload alt="image-20240102155752108"></p>
<h3 id="proc文件系统"><a href="#proc文件系统" class="headerlink" title="&#x2F;proc文件系统"></a>&#x2F;proc文件系统</h3><p>&#x2F;proc是linux中的一个虚拟文件系统（放在内存中）。它包含每个进程的一个目录，使用进程ID作为目录的名称。<br>每个进程目录都有一个名为environ的虚拟文件，其中包含进程的环境变量。<br>例如：虚拟文件&#x2F;proc&#x2F;932&#x2F;environ 包含进程932的环境变量<br>命令“<code>strings /proc/$$/environ</code>”将打印出<strong>当前进程的环境变量</strong>(shell将把$$替换为它自己的进程ID)<br>当在bash shell中<strong>调用env</strong>程序时，它将在子进程中运行。因此，它打印出shell子进程的环境变量，而不是它自己的环境变量。</p>
<p>总结：</p>
<ul>
<li>set（无参数）可以打印当前的shell变量</li>
<li>export（无参数）可以显示当前导出成环境变量的shell变量</li>
<li><code>strings /proc/$$/environ</code>可以打印当前进程的环境变量</li>
<li>env可以打印当前进程的子进程的环境变量</li>
</ul>
<h2 id="set-UID"><a href="#set-UID" class="headerlink" title="set-UID"></a>set-UID</h2><p>允许用户以程序所有者的权限运行程序。 </p>
<p>每个进程都有两个用户ID。<br>Real UID (<strong>RUID</strong>):确定进程的真正所有者	<br>Effective UID (<strong>EUID</strong>): 标识进程的权限<br>访问控制基于EUID<br>当执行正常程序时 , RUID &#x3D; EUID, 它们都等于运行程序的用户的ID<br>当执行Set-UID时, RUID ≠ EUID. RUID还是用户 ID, 但是 EUID 是程序 owner的 ID.普通用户运行root用户所有的程序，以root权限运行。<br>如果程序归root所有，则程序以root权限运行。</p>
<h3 id="通过动态链接器进行攻击"><a href="#通过动态链接器进行攻击" class="headerlink" title="通过动态链接器进行攻击"></a>通过动态链接器进行攻击</h3><p>动态链接-使用环境变量，它将成为攻击面的一部分。</p>
<ul>
<li>动态链接节省内存</li>
<li>这意味着程序在编译期间未决定部分代码</li>
<li>如果用户可以影响丢失的代码，它们可能会损害程序的完整性</li>
<li>LD_PRELOAD 包含一个共享库的列表，链接器将首先搜索它；<br>如果没有找到所有函数，链接器将在几个文件夹列表中搜索，包括LD_LIBRARY_PATH指定的文件夹；<br>这两个变量都可以由用户设置，因此使他们有机会控制链接过程结果；<br>如果该程序是一个Set-UID程序，它可能会导致安全漏洞。</li>
</ul>
<p><strong>机制：</strong></p>
<p>现代编译器基本默认为动态链接,而动态链接就需要使用支持动态链接的程序库,而 <strong>LD_LIBRARY_PATH 和 LD_PRELOAD</strong> 就是与动态链接相关的两个环境变量，而这个两个环境变量可以被修改，那么结合 Set-UID 程序,便会导致安全问题,攻击者可能会编写 root 权限下运行的不安全函数,通过环境变量在链接阶段冒充真实函数来运行。</p>
<p>而动态链接器程序有一个防御机制,当进程的真实用户 ID 与有效用户 ID不 一 样 时 , 或 者 真 实 组 ID 与 有 效 组 ID 不 一 致 时 , 进 程 将 会 忽 LD_PRELOAD,LD_LIBRARY_PATH 环境变量。</p>

                
              </div>
            
            <hr/>
            <div>
              <div class="post-metas my-3">
  
    <div class="post-meta mr-3 d-flex align-items-center">
      <i class="iconfont icon-category"></i>
      

<span class="category-chains">
  
  
    
      <span class="category-chain">
        
  <a href="/categories/others/" class="category-chain-item">others</a>
  
  

      </span>
    
  
</span>

    </div>
  
  
</div>


              
  

  <div class="license-box my-3">
    <div class="license-title">
      <div>Environment-variable-attack</div>
      <div>https://jiashi19.gitee.io/2024/02/01/Environment-variable-attack/</div>
    </div>
    <div class="license-meta">
      
        <div class="license-meta-item">
          <div>作者</div>
          <div>Jiashi</div>
        </div>
      
      
        <div class="license-meta-item license-meta-date">
          <div>发布于</div>
          <div>2024年2月1日</div>
        </div>
      
      
      
        <div class="license-meta-item">
          <div>许可协议</div>
          <div>
            
              
              
                <a class="print-no-link" target="_blank" href="https://creativecommons.org/licenses/by/4.0/">
                  <span class="hint--top hint--rounded" aria-label="BY - 署名">
                    <i class="iconfont icon-by"></i>
                  </span>
                </a>
              
            
          </div>
        </div>
      
    </div>
    <div class="license-icon iconfont"></div>
  </div>



              
                <div class="post-prevnext my-3">
                  <article class="post-prev col-6">
                    
                    
                      <a href="/2024/02/04/%E6%81%B6%E6%84%8Fwindows%E7%A8%8B%E5%BA%8F/" title="恶意windows程序">
                        <i class="iconfont icon-arrowleft"></i>
                        <span class="hidden-mobile">恶意windows程序</span>
                        <span class="visible-mobile">上一篇</span>
                      </a>
                    
                  </article>
                  <article class="post-next col-6">
                    
                    
                      <a href="/2023/11/23/%E6%B8%97%E9%80%8F%E5%B7%A5%E5%85%B7%E6%80%BB%E7%BB%93/" title="渗透工具总结">
                        <span class="hidden-mobile">渗透工具总结</span>
                        <span class="visible-mobile">下一篇</span>
                        <i class="iconfont icon-arrowright"></i>
                      </a>
                    
                  </article>
                </div>
              
            </div>

            
          </article>
        </div>
      </div>
    </div>

    <div class="side-col d-none d-lg-block col-lg-2">
      
  <aside class="sidebar" style="margin-left: -1rem">
    <div id="toc">
  <p class="toc-header">
    <i class="iconfont icon-list"></i>
    <span>目录</span>
  </p>
  <div class="toc-body" id="toc-body"></div>
</div>



  </aside>


    </div>
  </div>
</div>





  



  



  



  



  







    

    
      <a id="scroll-top-button" aria-label="TOP" href="#" role="button">
        <i class="iconfont icon-arrowup" aria-hidden="true"></i>
      </a>
    

    
      <div class="modal fade" id="modalSearch" tabindex="-1" role="dialog" aria-labelledby="ModalLabel"
     aria-hidden="true">
  <div class="modal-dialog modal-dialog-scrollable modal-lg" role="document">
    <div class="modal-content">
      <div class="modal-header text-center">
        <h4 class="modal-title w-100 font-weight-bold">搜索</h4>
        <button type="button" id="local-search-close" class="close" data-dismiss="modal" aria-label="Close">
          <span aria-hidden="true">&times;</span>
        </button>
      </div>
      <div class="modal-body mx-3">
        <div class="md-form mb-5">
          <input type="text" id="local-search-input" class="form-control validate">
          <label data-error="x" data-success="v" for="local-search-input">关键词</label>
        </div>
        <div class="list-group" id="local-search-result"></div>
      </div>
    </div>
  </div>
</div>

    

    
  </main>

  <footer>
    <div class="footer-inner">
  
    <div class="footer-content">
       <a href="https://hexo.io" target="_blank" rel="nofollow noopener"><span>Hexo</span></a> <i class="iconfont icon-love"></i> <a href="https://github.com/fluid-dev/hexo-theme-fluid" target="_blank" rel="nofollow noopener"><span>Fluid</span></a> 
    </div>
  
  
    <div class="statistics">
  
  

  
    
      <span id="busuanzi_container_site_pv" style="display: none">
        总访问量 
        <span id="busuanzi_value_site_pv"></span>
         次
      </span>
    
    
      <span id="busuanzi_container_site_uv" style="display: none">
        总访客数 
        <span id="busuanzi_value_site_uv"></span>
         人
      </span>
    
    
  
</div>

  
  
  
</div>

  </footer>

  <!-- Scripts -->
  
  <script  src="https://lib.baomitu.com/nprogress/0.2.0/nprogress.min.js" ></script>
  <link  rel="stylesheet" href="https://lib.baomitu.com/nprogress/0.2.0/nprogress.min.css" />

  <script>
    NProgress.configure({"showSpinner":false,"trickleSpeed":100})
    NProgress.start()
    window.addEventListener('load', function() {
      NProgress.done();
    })
  </script>


<script  src="https://lib.baomitu.com/jquery/3.6.4/jquery.min.js" ></script>
<script  src="https://lib.baomitu.com/twitter-bootstrap/4.6.1/js/bootstrap.min.js" ></script>
<script  src="/js/events.js" ></script>
<script  src="/js/plugins.js" ></script>


  <script  src="https://lib.baomitu.com/typed.js/2.0.12/typed.min.js" ></script>
  <script>
    (function (window, document) {
      var typing = Fluid.plugins.typing;
      var subtitle = document.getElementById('subtitle');
      if (!subtitle || !typing) {
        return;
      }
      var text = subtitle.getAttribute('data-typed-text');
      
        typing(text);
      
    })(window, document);
  </script>




  
    <script  src="/js/img-lazyload.js" ></script>
  




  
<script>
  Fluid.utils.createScript('https://lib.baomitu.com/tocbot/4.20.1/tocbot.min.js', function() {
    var toc = jQuery('#toc');
    if (toc.length === 0 || !window.tocbot) { return; }
    var boardCtn = jQuery('#board-ctn');
    var boardTop = boardCtn.offset().top;

    window.tocbot.init(Object.assign({
      tocSelector     : '#toc-body',
      contentSelector : '.markdown-body',
      linkClass       : 'tocbot-link',
      activeLinkClass : 'tocbot-active-link',
      listClass       : 'tocbot-list',
      isCollapsedClass: 'tocbot-is-collapsed',
      collapsibleClass: 'tocbot-is-collapsible',
      scrollSmooth    : true,
      includeTitleTags: true,
      headingsOffset  : -boardTop,
    }, CONFIG.toc));
    if (toc.find('.toc-list-item').length > 0) {
      toc.css('visibility', 'visible');
    }

    Fluid.events.registerRefreshCallback(function() {
      if ('tocbot' in window) {
        tocbot.refresh();
        var toc = jQuery('#toc');
        if (toc.length === 0 || !tocbot) {
          return;
        }
        if (toc.find('.toc-list-item').length > 0) {
          toc.css('visibility', 'visible');
        }
      }
    });
  });
</script>


  <script src=https://lib.baomitu.com/clipboard.js/2.0.11/clipboard.min.js></script>

  <script>Fluid.plugins.codeWidget();</script>


  
<script>
  Fluid.utils.createScript('https://lib.baomitu.com/anchor-js/4.3.1/anchor.min.js', function() {
    window.anchors.options = {
      placement: CONFIG.anchorjs.placement,
      visible  : CONFIG.anchorjs.visible
    };
    if (CONFIG.anchorjs.icon) {
      window.anchors.options.icon = CONFIG.anchorjs.icon;
    }
    var el = (CONFIG.anchorjs.element || 'h1,h2,h3,h4,h5,h6').split(',');
    var res = [];
    for (var item of el) {
      res.push('.markdown-body > ' + item.trim());
    }
    if (CONFIG.anchorjs.placement === 'left') {
      window.anchors.options.class = 'anchorjs-link-left';
    }
    window.anchors.add(res.join(', '));

    Fluid.events.registerRefreshCallback(function() {
      if ('anchors' in window) {
        anchors.removeAll();
        var el = (CONFIG.anchorjs.element || 'h1,h2,h3,h4,h5,h6').split(',');
        var res = [];
        for (var item of el) {
          res.push('.markdown-body > ' + item.trim());
        }
        if (CONFIG.anchorjs.placement === 'left') {
          anchors.options.class = 'anchorjs-link-left';
        }
        anchors.add(res.join(', '));
      }
    });
  });
</script>


  
<script>
  Fluid.utils.createScript('https://lib.baomitu.com/fancybox/3.5.7/jquery.fancybox.min.js', function() {
    Fluid.plugins.fancyBox();
  });
</script>


  <script>Fluid.plugins.imageCaption();</script>

  <script  src="/js/local-search.js" ></script>

  <script defer src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js" ></script>





<!-- 主题的启动项，将它保持在最底部 -->
<!-- the boot of the theme, keep it at the bottom -->
<script  src="/js/boot.js" ></script>


  

  <noscript>
    <div class="noscript-warning">博客在允许 JavaScript 运行的环境下浏览效果更佳</div>
  </noscript>
</body>
</html>
